Two Security Techniques for Mobile Code

Rex Min

Code signing and sandboxing offer two different paradigms for securing mobile code. Sandboxing uses compilers and code checkers that actively forbid potentially malicious activities. Code signing verifies the source and the integrity of incoming mobile code. Based upon this information, the user is responsible for authorizing its execution.

A security system that "actively prevents" malicious code from running would be desirable. What is meant by this criterion? An example of active prevention is Java's use of sandboxing. Metaphorically, Java builds a barrier — the so-called sandbox — around each thread of mobile code and prevents malicious code from operating beyond the constraints of the barrier. For instance, incoming objects are scoped in such a way that they can not override and spoof a local object. Classic signs of malicious intent, such as out-of-bounds memory accesses, are prevented by the compiler. A byte code verifier on the local machine verifies once again that incoming byte code does not engage in these suspicious behaviors. In short, a sandboxing system treats mobile code as untrusted and restricts its functionality accordingly.

It is now clear that code signing follows a completely different paradigm. Code signing does not actively prevent malicious code from running. Any mobile code that is properly signed and accepted by the local user will be allowed to run. Instead, code signing relies on a different paradigm for enhancing security — authentication. "Signed" code is encrypted with the authenticator's private key. Hence, the code is guaranteed to have originated from a known source and to have been unmodified between the sender and the recipient. The premise of security via authentication is that no one would deliberately release malicious code with their signature, for fear of legal and other repercussions. Properly signed mobile code from reputable sources can thus be trusted by the user, allowing the mobile code to run with fewer constraints on functionality. Instead of relying on a sandbox around untrusted code, code signing attempts to verify that mobile code is originating from sources "trusted" by the user.

Code signing does not actively prevent malicious code from executing. However, this does not mean that code signing is inherently inferior to sandboxing. Code signing is based upon authentication, a useful security tool. Furthermore, the construction of a perfect sandbox is next to impossible, due to the difficulty of sealing loopholes and covert channels. As seen in the latest development versions of Java and ActiveX, a careful combination of both techniques seems to be the best choice for the future.